Revision as of 13:52, 19 July 2011


Introduction

This article describes how to set up Single Sign On for Zarafa WebAccess against an Active Directory domain controller.
It has been tested on Red Hat Enterprise Linux Server 5, but can also serve as a basis for other distributions.

Prerequisites

It is assumed that the following prerequisites are in place (the document has been tested with RHEL 5):

A Windows Server 2003 R2 or 2008 SP1 server configured as a domain controller

A Windows XP or Vista client that has joined the Windows domain

In this example the web server is placed in a different DNS domain than the domain controller. This is not a requirement, but it makes the document clearer on how to create the Kerberos principal, which is the tricky part when the servers are in different domains.

In this example, the following servers and realm are referenced:

AD Server: dc.example.com

Linux Server: zarafa.testdomain.com

Kerberos Realm: EXAMPLE.COM

Make sure that both servers are reachable via their FQDN (Fully Qualified Domain Name) and that their PTR (reverse DNS) records are correct.
Configure NTP on all machines so that their clocks stay synchronized, because Kerberos rejects tickets when the clocks drift too far apart.

Replace the kdc and admin_server entries with the FQDN of the domain controller.
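The Kerberos client configuration that the sentence above refers to is not shown on this page. The fragment below is an added example, not the article's original snippet: it uses the standard MIT Kerberos krb5.conf layout (assumed to live at /etc/krb5.conf on the Linux server) with the realm and hostnames from the table above. The [domain_realm] entries for testdomain.com are an assumption added here; they are what maps the web server's own DNS domain onto the EXAMPLE.COM realm when, as in this example, the two differ.

```ini
; Added example krb5.conf for the setup described on this page (not the original article's file).
[libdefaults]
    default_realm = EXAMPLE.COM
    ; Pin the realm and KDC statically instead of trusting DNS lookups for them.
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        ; kdc and admin_server: the FQDN of the domain controller
        kdc = dc.example.com
        admin_server = dc.example.com
    }

[domain_realm]
    ; The domain controller's DNS domain
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
    ; The web server lives in another DNS domain but authenticates against the same realm (assumption)
    .testdomain.com = EXAMPLE.COM
    testdomain.com = EXAMPLE.COM
```

Disabling dns_lookup_realm and dns_lookup_kdc means a spoofed DNS answer cannot redirect the server to a different KDC; the cost is that a KDC change must be edited into this file by hand.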

Restart Apache to activate all changes:

service httpd restart

Zarafa configuration

To set up a Single Sign On environment for the Zarafa Collaboration Platform, you need to establish a trust between the Apache web server and the Zarafa Storage Server. This trust lets the Apache web server handle the WebAccess authentication, so the Zarafa Storage Server no longer does it itself.

Change the following line in the /etc/zarafa/server.cfg file:

local_admin_users = root apache

To configure the Zarafa WebAccess for Single Sign On, change the following option in the config.php file:

define("LOGINNAME_STRIP_DOMAIN", true);

Note: In this configuration we assume the Zarafa WebAccess is installed on the same server as the Zarafa Storage Server.

Restart the zarafa-server process to activate this change.

service zarafa-server restart
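With the trust above in place, the Zarafa Storage Server accepts whatever login name the apache user presents, and LOGINNAME_STRIP_DOMAIN reduces the Kerberos principal Apache delivers (user@REALM) to the bare account name. The script below is an added example, not code from the article or from Zarafa: it mirrors that stripping in POSIX shell and then shows a realm-checking variant, which the page's setting does not do. The realm check is an assumption added here; its purpose is that a principal from some other realm with the same left-hand part cannot be collapsed onto a local account. The principals used are constructed sample inputs.

```shell
#!/bin/sh
# Added example (not part of the original article or of Zarafa).
# Models how a Kerberos principal delivered by Apache in REMOTE_USER is
# turned into a WebAccess login name. The realm below is the page's
# example realm.
TRUSTED_REALM="EXAMPLE.COM"

# strip_domain PRINCIPAL
# What LOGINNAME_STRIP_DOMAIN does: drop everything from the last '@'.
# Note that it keeps no record of which realm the name came from.
strip_domain() {
    printf '%s\n' "${1%@*}"
}

# login_from_principal PRINCIPAL [REALM]
# Hardened variant (assumption, not the page's setting): prints the bare
# login name only when the principal carries exactly the trusted realm;
# otherwise prints nothing and returns non-zero.
login_from_principal() {
    principal=$1
    realm=${2:-$TRUSTED_REALM}
    case $principal in
        *@*) ;;                 # has a realm part, continue
        *)   return 1 ;;        # no realm: not a Kerberos principal
    esac
    user=${principal%@*}
    got_realm=${principal##*@}
    [ -n "$user" ] || return 1                 # "@REALM" alone is invalid
    [ "$got_realm" = "$realm" ] || return 1    # wrong realm: reject
    printf '%s\n' "$user"
}

# Demo with constructed inputs when run directly.
for p in alice@EXAMPLE.COM alice@OTHER.COM alice; do
    printf 'strip_domain %-20s -> %s\n' "$p" "$(strip_domain "$p")"
    if name=$(login_from_principal "$p"); then
        printf 'login_from_principal %-20s -> %s\n' "$p" "$name"
    else
        printf 'login_from_principal %-20s -> rejected\n' "$p"
    fi
done
```

The demo output makes the point: plain stripping maps both alice@EXAMPLE.COM and alice@OTHER.COM to "alice", while the checked variant accepts only the trusted realm. On the real server this risk is bounded by Apache only ever accepting principals from realms listed in its Kerberos configuration, so keep that list to the realms you actually trust.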

Web browser configuration

Before you can use Single Sign On in your browser, configure the following settings:

Firefox

Type about:config in the address bar

Filter on auth

Set the options network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris to .testdomain.com (the delegation option additionally allows the web server to act with your credentials, so set it only for servers you trust to do so)

Internet Explorer

Go to Tools -> Internet options -> Advanced

Make sure the option "Enable integrated Windows authentication" is enabled

Restart your browser and open the WebAccess via its FQDN (http://zarafa.testdomain.com/webaccess). If the configuration is correct, the user is logged in to the WebAccess without typing a username and password.